dolphin
A builder-configurable Rust x64 RAT/infostealer family that masquerades as NVIDIA Display Container LS and communicates over WebSocket/TLS. Internally self-identifies as dolphin in strings, paths (svc\\polymorph.rs), and file artifacts (dolphin_agent.log, dolphin_http_hook.dll). The builder supports toggles for anti-analysis, self-morphing (poly/meta/ultra), E2E AES-GCM encryption, and an extensive tasking surface of ~80 ServerMessage commands covering credential theft, remote access, gaming loot, crypto clipping, lateral movement, and anti-forensics.
Build Stack
| Component | Version / Detail |
|---|---|
| Language | Rust — rustc 59807616e1fa2540724bfbac14d7976d7e4a3860 (approx nightly 2024) |
| Linker | MSVC 14.44 (Visual Studio 2022) |
| Async runtime | tokio 1.52.1 |
| WebSocket | tokio-tungstenite 0.21.0 |
| Serialization | serde_json 1.0.149 |
| Crypto | bcrypt (BCrypt* APIs), DPAPI (CryptUnprotectData), AES-GCM for embedded config |
| Graphics | gdiplus (screenshots) |
| Compression | zip 0.6.6 |
| PDB path | java_update_scheduler_557655.pdb |
Capabilities
- credential-dumping-browser-storage
- credential-dumping-wallet-dpapi
- credential-dumping-telegram-tdata
- credential-dumping-discord-tokens
- crypto-wallet-seed-extraction-exodus
- crypto-wallet-seed-extraction-atomic
- crypto-wallet-seed-extraction-ledger
- crypto-clipboard-clipper-btc-eth-ltc-xmr-sol-trx
- browser-injection-bitwarden-ipc-hook
- browser-injection-exodus-electron-hook
- browser-injection-ledger-electron-hook
- browser-injection-telegram-electron-hook
- browser-injection-discord-electron-hook
- browser-http-intercept-named-pipe
- rat-vnc-hidden-vnc
- rat-shell-remote-shell
- rat-keylogger-audio-webcam
- rat-screen-capture-gdiplus
- lateral-movement-smb-wmi-winrm
- lateral-movement-usb-spread
- lateral-discovery-network-scan
- persistence-registry-run
- persistence-scheduled-task
- persistence-service-install
- defense-evasion-process-hollowing
- defense-evasion-dll-injection
- defense-evasion-shellcode-injection
- defense-evasion-polymorphic-morph
- defense-evasion-melt-self-delete
- defense-evasion-block-russian-egress
- defense-evasion-anti-vm-debugger-check
- defense-evasion-critical-process-set
- defense-evasion-wipe-prefetch-eventlogs-traces
- defense-evasion-defender-exclusion-disable
- c2-websocket-tls-hardcoded-host
- c2-websocket-auth-token
- c2-e2e-aes256gcm-handshake
- c2-heartbeat-5s
- c2-dead-drops-fallback-hosts
- proxy-port-forward-upnp-revsocks
- impact-miner-deploy-stress-test
- impact-fake-lockscreen-freeze-update
- impact-ransom-prank-mousejitter-screen-invert
- discovery-systeminfo-public-ip-geo
- discovery-gaming-process-enumeration
- exfil-zip-archive-loot
- exfil-clipboard-monitoring
- exfil-smart-screenshot
- exfil-export-all-selective
Variants / Aliases
- Internal strings also reference hedgehog and pledge as alternative project names, but dolphin is the dominant runtime branding.
- Builder produces morph-mode variants: Off, Poly, Meta, Ultra.
Notable Analyses
- raw/analyses/ca6be0bf2f87/report.md — First full deep-dive; static-only (no CAPE x64 guest); C2 dolphin.dark-matter-analytics.com:32768; WebSocket auth token f58d15520b35a1c619914048470bf17cf262b61cc994b4b8347e71a26d15e729; masquerades as NVIDIA Display Container LS; targets 200+ gaming titles and 50+ crypto wallets.
Related Entities
- rust-async-rat-framework — shared build pattern: Rust + tokio + tungstenite + serde_json + AES-GCM config + builder-driven feature toggles.